8505c83167206b75f9b21bf02cb6aca0cecf769842221bed094b5677f879612e

Resubmissions

24-05-2023 12:03

230524-n8dbgscd25 7

Analysis

max time kernel
143s
max time network
169s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
24-05-2023 12:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CraxRat V4 CRACK/CraxRat V4 CRACK.exe
Size

282KB
MD5

2d8459cff12270ee6e7a7f5ca60d2686
SHA1

67ae332887c21b0ef9aac516936abdd06b24aca1
SHA256

186dbbbb1c825368ec3a7e7a8ed8a118588a19c76dc874007175e57054525160
SHA512

f546d79e2fd0a693228ec05f3eef5a0c816ed67681b099b324b124ed4a38a40c70cf544589f04184e718b7c117142c8556425aa10e9470e66e2ba9cabb627b65
SSDEEP

3072:hRk+zfeGFUPTI7I+1zFK2my4cybWsAiTPR7P/K2Xj/skd6vknOivD3S9tvTTrbIY:hRzDjO2AS9JTrE88vwaNmSI

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3228	XsdType.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3228 set thread context of 4792	3228	XsdType.exe	80

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1044	4412	WerFault.exe	70
5072	4412	WerFault.exe	70

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3400	powershell.exe
3400	powershell.exe
3400	powershell.exe
3228	XsdType.exe
3228	XsdType.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	3420	crack.exe
Token: SeDebugPrivilege	4412	V4.exe
Token: SeDebugPrivilege	3400	powershell.exe
Token: SeIncreaseQuotaPrivilege	3400	powershell.exe
Token: SeSecurityPrivilege	3400	powershell.exe
Token: SeTakeOwnershipPrivilege	3400	powershell.exe
Token: SeLoadDriverPrivilege	3400	powershell.exe
Token: SeSystemProfilePrivilege	3400	powershell.exe
Token: SeSystemtimePrivilege	3400	powershell.exe
Token: SeProfSingleProcessPrivilege	3400	powershell.exe
Token: SeIncBasePriorityPrivilege	3400	powershell.exe
Token: SeCreatePagefilePrivilege	3400	powershell.exe
Token: SeBackupPrivilege	3400	powershell.exe
Token: SeRestorePrivilege	3400	powershell.exe
Token: SeShutdownPrivilege	3400	powershell.exe
Token: SeDebugPrivilege	3400	powershell.exe
Token: SeSystemEnvironmentPrivilege	3400	powershell.exe
Token: SeRemoteShutdownPrivilege	3400	powershell.exe
Token: SeUndockPrivilege	3400	powershell.exe
Token: SeManageVolumePrivilege	3400	powershell.exe
Token: 33	3400	powershell.exe
Token: 34	3400	powershell.exe
Token: 35	3400	powershell.exe
Token: 36	3400	powershell.exe
Token: SeDebugPrivilege	3228	XsdType.exe
Token: SeDebugPrivilege	4792	InstallUtil.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2980	2568	CraxRat V4 CRACK.exe	67
PID 2568 wrote to memory of 2980	2568	CraxRat V4 CRACK.exe	67
PID 2568 wrote to memory of 2980	2568	CraxRat V4 CRACK.exe	67
PID 2980 wrote to memory of 3420	2980	cmd.exe	69
PID 2980 wrote to memory of 3420	2980	cmd.exe	69
PID 2980 wrote to memory of 3420	2980	cmd.exe	69
PID 2980 wrote to memory of 4412	2980	cmd.exe	70
PID 2980 wrote to memory of 4412	2980	cmd.exe	70
PID 3228 wrote to memory of 4792	3228	XsdType.exe	80
PID 3228 wrote to memory of 4792	3228	XsdType.exe	80
PID 3228 wrote to memory of 4792	3228	XsdType.exe	80
PID 3228 wrote to memory of 4792	3228	XsdType.exe	80
PID 3228 wrote to memory of 4792	3228	XsdType.exe	80
PID 3228 wrote to memory of 4792	3228	XsdType.exe	80
PID 3228 wrote to memory of 4792	3228	XsdType.exe	80
PID 3228 wrote to memory of 4792	3228	XsdType.exe	80

C:\Users\Admin\AppData\Local\Temp\CraxRat V4 CRACK\CraxRat V4 CRACK.exe
"C:\Users\Admin\AppData\Local\Temp\CraxRat V4 CRACK\CraxRat V4 CRACK.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8JGQNP1V.bat" "C:\Users\Admin\AppData\Local\Temp\CraxRat V4 CRACK\CraxRat V4 CRACK.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Users\Admin\AppData\Local\Temp\CraxRat V4 CRACK\res\Plugins\Android\crack.exe
    res/Plugins/Android/crack.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3420
- - C:\Users\Admin\AppData\Local\Temp\CraxRat V4 CRACK\V4.exe
    V4.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4412
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4412 -s 1540
      4⤵
      Program crash
      PID:1044
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4412 -s 1520
      4⤵
      Program crash
      PID:5072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3400

C:\Users\Admin\AppData\Local\Data\sgtjpsny\XsdType.exe
C:\Users\Admin\AppData\Local\Data\sgtjpsny\XsdType.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4792

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Data\sgtjpsny\XsdType.exe

Filesize
621KB

MD5
53e9f3c1f7e1cfcf9439bc0835efd644

SHA1
fd91e335c9da742f0972107a240606bb81bbc675

SHA256
47e39ef464af14cffd9e2cd2951a98e61afab9e37431feb3ba0730bef88d00b4

SHA512
b8835578bdfc45be76774106d5298f22915bc1d84ca39b3d9a1a4708f4dcf02a8eec8e1184644c22cd1f77b088cc731e551158ff34bb5bfcb139a48f8478940f

Download Submit
C:\Users\Admin\AppData\Local\Data\sgtjpsny\XsdType.exe

Filesize
621KB

MD5
53e9f3c1f7e1cfcf9439bc0835efd644

SHA1
fd91e335c9da742f0972107a240606bb81bbc675

SHA256
47e39ef464af14cffd9e2cd2951a98e61afab9e37431feb3ba0730bef88d00b4

SHA512
b8835578bdfc45be76774106d5298f22915bc1d84ca39b3d9a1a4708f4dcf02a8eec8e1184644c22cd1f77b088cc731e551158ff34bb5bfcb139a48f8478940f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8JGQNP1V.bat

Filesize
59B

MD5
503336035db72c6c1eeb095b68aef6f5

SHA1
0e186a76e55b43ae227f61d3b435a3cb117741fd

SHA256
417539112ca5357dc46c5bd1f5ca059d02dfa6860cdeb962a0f693cb857beff4

SHA512
0e10bb686fe0c63b9ea13c2c0ea0de16444e0c8b913468f02edfc60254925154f04bbaa079f6afa809cb5692b669136ec158c19cad744a9b403294414447584e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xbcxlvyl.rny.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/2568-125-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3228-4173-0x00000000018B0000-0x00000000018C0000-memory.dmp

Filesize
64KB

Download
memory/3228-2592-0x00000000018B0000-0x00000000018C0000-memory.dmp

Filesize
64KB

Download
memory/3400-2528-0x000001845C5A0000-0x000001845C5B0000-memory.dmp

Filesize
64KB

Download
memory/3400-2499-0x000001845C7B0000-0x000001845C826000-memory.dmp

Filesize
472KB

Download
memory/3400-2496-0x0000018444100000-0x0000018444122000-memory.dmp

Filesize
136KB

Download
memory/3400-2495-0x000001845C5A0000-0x000001845C5B0000-memory.dmp

Filesize
64KB

Download
memory/3400-2494-0x000001845C5A0000-0x000001845C5B0000-memory.dmp

Filesize
64KB

Download
memory/3420-191-0x00000000051C0000-0x00000000052B1000-memory.dmp

Filesize
964KB

Download
memory/3420-181-0x00000000051C0000-0x00000000052B1000-memory.dmp

Filesize
964KB

Download
memory/3420-145-0x00000000051C0000-0x00000000052B1000-memory.dmp

Filesize
964KB

Download
memory/3420-149-0x00000000051C0000-0x00000000052B1000-memory.dmp

Filesize
964KB

Download
memory/3420-147-0x00000000051C0000-0x00000000052B1000-memory.dmp

Filesize
964KB

Download
memory/3420-151-0x00000000051C0000-0x00000000052B1000-memory.dmp

Filesize
964KB

Download
memory/3420-153-0x00000000051C0000-0x00000000052B1000-memory.dmp

Filesize
964KB

Download
memory/3420-155-0x00000000051C0000-0x00000000052B1000-memory.dmp

Filesize
964KB

Download
memory/3420-157-0x00000000051C0000-0x00000000052B1000-memory.dmp

Filesize
964KB

Download
memory/3420-159-0x00000000051C0000-0x00000000052B1000-memory.dmp

Filesize
964KB

Download
memory/3420-161-0x00000000051C0000-0x00000000052B1000-memory.dmp

Filesize
964KB

Download
memory/3420-163-0x00000000051C0000-0x00000000052B1000-memory.dmp

Filesize
964KB

Download
memory/3420-167-0x00000000051C0000-0x00000000052B1000-memory.dmp

Filesize
964KB

Download
memory/3420-169-0x00000000051C0000-0x00000000052B1000-memory.dmp

Filesize
964KB

Download
memory/3420-171-0x00000000051C0000-0x00000000052B1000-memory.dmp

Filesize
964KB

Download
memory/3420-173-0x00000000051C0000-0x00000000052B1000-memory.dmp

Filesize
964KB

Download
memory/3420-175-0x00000000051C0000-0x00000000052B1000-memory.dmp

Filesize
964KB

Download
memory/3420-177-0x00000000051C0000-0x00000000052B1000-memory.dmp

Filesize
964KB

Download
memory/3420-179-0x00000000051C0000-0x00000000052B1000-memory.dmp

Filesize
964KB

Download
memory/3420-2484-0x00000000052C0000-0x0000000005316000-memory.dmp

Filesize
344KB

Download
memory/3420-183-0x00000000051C0000-0x00000000052B1000-memory.dmp

Filesize
964KB

Download
memory/3420-185-0x00000000051C0000-0x00000000052B1000-memory.dmp

Filesize
964KB

Download
memory/3420-187-0x00000000051C0000-0x00000000052B1000-memory.dmp

Filesize
964KB

Download
memory/3420-189-0x00000000051C0000-0x00000000052B1000-memory.dmp

Filesize
964KB

Download
memory/3420-141-0x00000000051C0000-0x00000000052B1000-memory.dmp

Filesize
964KB

Download
memory/3420-123-0x0000000000920000-0x00000000009C2000-memory.dmp

Filesize
648KB

Download
memory/3420-124-0x00000000051C0000-0x00000000052B8000-memory.dmp

Filesize
992KB

Download
memory/3420-126-0x0000000002BE0000-0x0000000002BF0000-memory.dmp

Filesize
64KB

Download
memory/3420-127-0x00000000051C0000-0x00000000052B1000-memory.dmp

Filesize
964KB

Download
memory/3420-143-0x00000000051C0000-0x00000000052B1000-memory.dmp

Filesize
964KB

Download
memory/3420-128-0x00000000051C0000-0x00000000052B1000-memory.dmp

Filesize
964KB

Download
memory/3420-130-0x00000000051C0000-0x00000000052B1000-memory.dmp

Filesize
964KB

Download
memory/3420-132-0x00000000051C0000-0x00000000052B1000-memory.dmp

Filesize
964KB

Download
memory/3420-134-0x00000000051C0000-0x00000000052B1000-memory.dmp

Filesize
964KB

Download
memory/3420-136-0x00000000051C0000-0x00000000052B1000-memory.dmp

Filesize
964KB

Download
memory/3420-139-0x00000000051C0000-0x00000000052B1000-memory.dmp

Filesize
964KB

Download
memory/3420-2487-0x0000000005A10000-0x0000000005A64000-memory.dmp

Filesize
336KB

Download
memory/3420-2486-0x00000000058A0000-0x0000000005906000-memory.dmp

Filesize
408KB

Download
memory/3420-393-0x0000000002BE0000-0x0000000002BF0000-memory.dmp

Filesize
64KB

Download
memory/3420-2485-0x00000000053B0000-0x00000000053FC000-memory.dmp

Filesize
304KB

Download
memory/4412-197-0x00000192E2020000-0x00000192E203C000-memory.dmp

Filesize
112KB

Download
memory/4412-665-0x00000192FC250000-0x00000192FC260000-memory.dmp

Filesize
64KB

Download
memory/4412-666-0x00000192FC250000-0x00000192FC260000-memory.dmp

Filesize
64KB

Download
memory/4412-1367-0x00000192FC250000-0x00000192FC260000-memory.dmp

Filesize
64KB

Download
memory/4412-460-0x00000192FC250000-0x00000192FC260000-memory.dmp

Filesize
64KB

Download
memory/4412-396-0x00000192FC250000-0x00000192FC260000-memory.dmp

Filesize
64KB

Download
memory/4412-369-0x00000192894D0000-0x000001928BF32000-memory.dmp

Filesize
42.4MB

Download
memory/4412-274-0x00000192FD650000-0x00000192FD6A0000-memory.dmp

Filesize
320KB

Download
memory/4412-271-0x00000192FD4A0000-0x00000192FD646000-memory.dmp

Filesize
1.6MB

Download
memory/4412-268-0x00000192FD1E0000-0x00000192FD216000-memory.dmp

Filesize
216KB

Download
memory/4412-263-0x00000192FC250000-0x00000192FC260000-memory.dmp

Filesize
64KB

Download
memory/4412-260-0x00000192FC250000-0x00000192FC260000-memory.dmp

Filesize
64KB

Download
memory/4412-203-0x00000192FC160000-0x00000192FC19C000-memory.dmp

Filesize
240KB

Download
memory/4412-201-0x00000192FC000000-0x00000192FC02C000-memory.dmp

Filesize
176KB

Download
memory/4412-195-0x00000192E1EC0000-0x00000192E1ECC000-memory.dmp

Filesize
48KB

Download
memory/4412-166-0x00000192E1E10000-0x00000192E1E11000-memory.dmp

Filesize
4KB

Download
memory/4412-164-0x00000192FC250000-0x00000192FC260000-memory.dmp

Filesize
64KB

Download
memory/4412-138-0x00000192DF200000-0x00000192E1AF4000-memory.dmp

Filesize
41.0MB

Download
memory/4792-4920-0x0000000004950000-0x0000000004960000-memory.dmp

Filesize
64KB

Download
memory/4792-6569-0x0000000004950000-0x0000000004960000-memory.dmp

Filesize
64KB

Download